Several Cable Modem Models Affected by SNMP God Mode Flaw

A severe security flaw in the implementation of the SNMP protocol allows an attacker to take over at least 78 cable modem models, according to a team of researchers.

The vulnerability, tracked as CVE-2017-5135 but nicknamed StringBleed, affects the Simple Network Management Protocol (SNMP), a popular protocol created in the 1980s and used for managing network-connected devices.

StringBleed is an authentication bypass in SNMP v1 and v2

Since its creation, the protocol has gone through different versions, with the most recent being SNMPv3. According to Ezequiel Fernandez and Bertin Bervis, two security researchers from Argentina and Costa Rica, respectively, there is a flaw in the authentication mechanism of SNMPv1 and SNMPv2.

While v3 supports username and password authentication, v1 and v2 rely on a far simpler procedure: the SNMP client (app) sends a string inside its SNMP request to the device's SNMP daemon.

The device reads this string, called a “community string,” from the SNMP request and replies to the client either with data or by executing an action.

Once someone authenticates on the device, they have the ability to read or write data to the system with no restrictions.

StringBleed uncovered after casual security tests

Fernandez and Bervis say that during tests in which they were trying to brute-force an SNMP connection, they noticed that several devices in their test gear responded to all authentication requests, regardless of the “community string” they used.

Because the device exhibiting this behavior was a Cisco DPC3928SL modem/router, they reached out to Cisco, thinking they had discovered a lone bug in the Cisco firmware.

Since Cisco had passed on the servicing of those types of devices to a company called Technicolor, the researchers brought up the issue with the latter. According to the research team, the company didn’t acknowledge the flaw and blamed it on an ISP that misconfigured its equipment.

This led the researchers to conduct Internet-wide scans to identify the exact cause of the issue. Their results revealed that the flaw affected the protocol itself, as they found it in 78 different cable modem/router models on the networks of ISPs across the world.
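As an added illustration (not code from the page, the researchers' PoC or any vendor), the following Python decodes the SNMP v1/v2c header described above, where the community string sits in plain BER right after the version, and flags, from captured traffic, agents that answered requests carrying a community string the operator never configured. The packets, the 192.0.2.x/198.51.100.x addresses and the `find_bleeding_agents` name are constructed for this example.

```python
# Passive check for the StringBleed symptom: a v1/v2c GetResponse carries the same
# community string as the request it answers, so an unconfigured one in a response means the agent accepted it.
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}

def _tlv(buf, pos):  # decode one BER tag-length-value -> (tag, value_bytes, next_pos)
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                      # long-form length: low bits give the byte count
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln

def parse_snmp_header(pkt):
    """Return (version, community, pdu_name) for an SNMP v1/v2c datagram."""
    tag, body, _ = _tlv(pkt, 0)                  # outer SEQUENCE
    vtag, ver, pos = _tlv(body, 0)               # INTEGER version: 0 = v1, 1 = v2c
    ctag, community, pos = _tlv(body, pos)       # OCTET STRING community
    if (tag, vtag, ctag) != (0x30, 0x02, 0x04):
        raise ValueError("not an SNMP v1/v2c message")
    pdu_tag = _tlv(body, pos)[0]
    return (int.from_bytes(ver, "big"), community.decode("latin-1"),
            PDU_NAMES.get(pdu_tag, hex(pdu_tag)))

def find_bleeding_agents(datagrams, allowed):
    """Map agent IP -> set of unexpected community strings it answered with."""
    flagged = {}
    for src, _dst, payload in datagrams:        # (src_ip, dst_ip, udp_payload)
        try:
            version, community, pdu = parse_snmp_header(payload)
        except (ValueError, IndexError):
            continue                             # not SNMP v1/v2c, or truncated
        if version in (0, 1) and pdu == "GetResponse" and community not in allowed:
            flagged.setdefault(src, set()).add(community)
    return flagged

def _enc(tag, value):                            # short-form length (< 128 bytes)
    return bytes([tag, len(value)]) + value

def build_get_response(version, community, request_id=1):
    """Build a minimal GetResponse with an empty varbind list (constructed test data)."""
    pdu = _enc(0x02, bytes([request_id])) + _enc(0x02, b"\x00") * 2 + _enc(0x30, b"")
    return _enc(0x30, _enc(0x02, bytes([version])) + _enc(0x04, community.encode())
                + _enc(0xA2, pdu))

# Constructed sample: 192.0.2.10 answered a request sent with "xyzzy"; 192.0.2.20 only answered "public".
SAMPLE = [("192.0.2.10", "198.51.100.5", build_get_response(1, "xyzzy")),
          ("192.0.2.10", "198.51.100.5", build_get_response(1, "public")),
          ("192.0.2.20", "198.51.100.5", build_get_response(0, "public"))]
```

Run against a real capture by feeding (src, dst, payload) tuples for UDP/161 traffic; any agent listed in the result accepted a string outside the configured set.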

StringBleed PoC available on GitHub

Researchers released proof-of-concept code on GitHub and set up a website to document the StringBleed flaw.

They’ve also released a list of vulnerable modem models, but with no vendor names. We filled in the hardware vendor’s name for the models we could easily identify via a Google search. We’ve also reached out to the researchers for a list complete with all vendor names.